Error: self signed certificate in certificate chain

[JannesMeyer]

My .npmrc looks like this:

registry=http://registry.npmjs.org/
strict-ssl=false
python=python2.7
ca=

It shouldn't even try to open a SSL connection because I'm using HTTP for the registry.

npm install protractor gives an error when running node-gyp "Error: self signed certificate in certificate chain":

> utf-8-validate@1.1.0 install .\node_modules\protractor\node_modules\selenium-webd
river\node_modules\ws\node_modules\utf-8-validate
> node-gyp rebuild


.\node_modules\protractor\node_modules\selenium-webdriver\node_modules\ws\node_modu
les\utf-8-validate>if not defined npm_config_node_gyp (node "C:\Program Files\iojs\node_modules\npm\bin\node-gyp-bin\\..
\..\node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node  rebuild )
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1010:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:566:8)
gyp ERR! System Windows_NT 6.3.9600
gyp ERR! command "C:\\Program Files\\iojs\\node.exe" "C:\\Program Files\\iojs\\node_modules\\npm\\node_modules\\node-gyp
\\bin\\node-gyp.js" "rebuild"
gyp ERR! cwd .\node_modules\protractor\node_modules\selenium-webdriver\node_modules
\ws\node_modules\utf-8-validate
gyp ERR! node -v v3.0.0
gyp ERR! node-gyp -v v2.0.2
gyp ERR! not ok

> bufferutil@1.1.0 install .\node_modules\protractor\node_modules\selenium-webdrive
r\node_modules\ws\node_modules\bufferutil
> node-gyp rebuild


.\node_modules\protractor\node_modules\selenium-webdriver\node_modules\ws\node_modu
les\bufferutil>if not defined npm_config_node_gyp (node "C:\Program Files\iojs\node_modules\npm\bin\node-gyp-bin\\..\..\
node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node  rebuild )
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1010:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:566:8)
gyp ERR! System Windows_NT 6.3.9600
gyp ERR! command "C:\\Program Files\\iojs\\node.exe" "C:\\Program Files\\iojs\\node_modules\\npm\\node_modules\\node-gyp
\\bin\\node-gyp.js" "rebuild"
gyp ERR! cwd .\node_modules\protractor\node_modules\selenium-webdriver\node_modules
\ws\node_modules\bufferutil
gyp ERR! node -v v3.0.0
gyp ERR! node-gyp -v v2.0.2
gyp ERR! not ok
npm WARN optional dep failed, continuing utf-8-validate@1.1.0
npm WARN optional dep failed, continuing bufferutil@1.1.0
protractor@2.1.0 node_modules\protractor
├── jasminewd@1.1.0
├── jasminewd2@0.0.5
├── html-entities@1.1.3
├── saucelabs@0.1.1
├── q@1.0.0
├── minijasminenode@1.1.1
├── optimist@0.6.1 (wordwrap@0.0.3, minimist@0.0.10)
├── adm-zip@0.4.4
├── glob@3.2.11 (inherits@2.0.1, minimatch@0.3.0)
├── jasmine@2.3.1 (exit@0.1.2, jasmine-core@2.3.4)
├── source-map-support@0.2.10 (source-map@0.1.32)
├── accessibility-developer-tools@2.6.0
├── request@2.36.0 (qs@0.6.6, forever-agent@0.5.2, aws-sign2@0.5.0, oauth-sign@0.3.0, tunnel-agent@0.4.1, json-stringify
-safe@5.0.1, mime@1.2.11, node-uuid@1.4.3, form-data@0.1.4, http-signature@0.10.1, tough-cookie@2.0.0, hawk@1.0.0)
├── lodash@2.4.2
└── selenium-webdriver@2.45.1 (tmp@0.0.24, rimraf@2.4.2, xml2js@0.4.4, ws@0.7.2)
. > npm install protractor
-


> bufferutil@1.1.0 install .\node_modules\protractor\node_modules\selenium-webdrive
r\node_modules\ws\node_modules\bufferutil
> node-gyp rebuild


.\node_modules\protractor\node_modules\selenium-webdriver\node_modules\ws\node_modu
les\bufferutil>if not defined npm_config_node_gyp (node "C:\Program Files\iojs\node_modules\npm\bin\node-gyp-bin\\..\..\
node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node  rebuild )
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1010:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:566:8)
gyp ERR! System Windows_NT 6.3.9600
gyp ERR! command "C:\\Program Files\\iojs\\node.exe" "C:\\Program Files\\iojs\\node_modules\\npm\\node_modules\\node-gyp
\\bin\\node-gyp.js" "rebuild"
gyp ERR! cwd .\node_modules\protractor\node_modules\selenium-webdriver\node_modules
\ws\node_modules\bufferutil
gyp ERR! node -v v3.0.0
gyp ERR! node-gyp -v v2.0.2
gyp ERR! not ok

> utf-8-validate@1.1.0 install .\node_modules\protractor\node_modules\selenium-webd
river\node_modules\ws\node_modules\utf-8-validate
> node-gyp rebuild


.\node_modules\protractor\node_modules\selenium-webdriver\node_modules\ws\node_modu
les\utf-8-validate>if not defined npm_config_node_gyp (node "C:\Program Files\iojs\node_modules\npm\bin\node-gyp-bin\\..
\..\node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node  rebuild )
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1010:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:566:8)
gyp ERR! System Windows_NT 6.3.9600
gyp ERR! command "C:\\Program Files\\iojs\\node.exe" "C:\\Program Files\\iojs\\node_modules\\npm\\node_modules\\node-gyp
\\bin\\node-gyp.js" "rebuild"
gyp ERR! cwd .\node_modules\protractor\node_modules\selenium-webdriver\node_modules
\ws\node_modules\utf-8-validate
gyp ERR! node -v v3.0.0
gyp ERR! node-gyp -v v2.0.2
gyp ERR! not ok
npm WARN optional dep failed, continuing bufferutil@1.1.0
npm WARN optional dep failed, continuing utf-8-validate@1.1.0
protractor@2.1.0 node_modules\protractor
├── jasminewd@1.1.0
├── jasminewd2@0.0.5
├── html-entities@1.1.3
├── saucelabs@0.1.1
├── q@1.0.0
├── minijasminenode@1.1.1
├── optimist@0.6.1 (wordwrap@0.0.3, minimist@0.0.10)
├── adm-zip@0.4.4
├── glob@3.2.11 (inherits@2.0.1, minimatch@0.3.0)
├── jasmine@2.3.1 (exit@0.1.2, jasmine-core@2.3.4)
├── accessibility-developer-tools@2.6.0
├── source-map-support@0.2.10 (source-map@0.1.32)
├── lodash@2.4.2
├── request@2.36.0 (forever-agent@0.5.2, aws-sign2@0.5.0, qs@0.6.6, oauth-sign@0.3.0, tunnel-agent@0.4.1, json-stringify
-safe@5.0.1, mime@1.2.11, node-uuid@1.4.3, form-data@0.1.4, http-signature@0.10.1, tough-cookie@2.0.0, hawk@1.0.0)
└── selenium-webdriver@2.45.1 (tmp@0.0.24, rimraf@2.4.2, xml2js@0.4.4, ws@0.7.2)
. > npm install protractornpm config set ca ""
. > npm config set ca ""
. > npm install protractor
|
> utf-8-validate@1.1.0 install .\node_modules\protractor\node_modules\selenium-webd
river\node_modules\ws\node_modules\utf-8-validate
> node-gyp rebuild


.\node_modules\protractor\node_modules\selenium-webdriver\node_modules\ws\node_modu
les\utf-8-validate>if not defined npm_config_node_gyp (node "C:\Program Files\iojs\node_modules\npm\bin\node-gyp-bin\\..
\..\node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node  rebuild )
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1010:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:566:8)
gyp ERR! System Windows_NT 6.3.9600
gyp ERR! command "C:\\Program Files\\iojs\\node.exe" "C:\\Program Files\\iojs\\node_modules\\npm\\node_modules\\node-gyp
\\bin\\node-gyp.js" "rebuild"
gyp ERR! cwd .\node_modules\protractor\node_modules\selenium-webdriver\node_modules
\ws\node_modules\utf-8-validate
gyp ERR! node -v v3.0.0
gyp ERR! node-gyp -v v2.0.2
gyp ERR! not ok

> bufferutil@1.1.0 install .\node_modules\protractor\node_modules\selenium-webdrive
r\node_modules\ws\node_modules\bufferutil
> node-gyp rebuild


.\node_modules\protractor\node_modules\selenium-webdriver\node_modules\ws\node_modu
les\bufferutil>if not defined npm_config_node_gyp (node "C:\Program Files\iojs\node_modules\npm\bin\node-gyp-bin\\..\..\
node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node  rebuild )
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1010:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:566:8)
gyp ERR! System Windows_NT 6.3.9600
gyp ERR! command "C:\\Program Files\\iojs\\node.exe" "C:\\Program Files\\iojs\\node_modules\\npm\\node_modules\\node-gyp
\\bin\\node-gyp.js" "rebuild"
gyp ERR! cwd .\node_modules\protractor\node_modules\selenium-webdriver\node_modules
\ws\node_modules\bufferutil
gyp ERR! node -v v3.0.0
gyp ERR! node-gyp -v v2.0.2
gyp ERR! not ok
npm WARN optional dep failed, continuing utf-8-validate@1.1.0
npm WARN optional dep failed, continuing bufferutil@1.1.0
protractor@2.1.0 node_modules\protractor
├── jasminewd@1.1.0
├── jasminewd2@0.0.5
├── saucelabs@0.1.1
├── html-entities@1.1.3
├── q@1.0.0
├── minijasminenode@1.1.1
├── optimist@0.6.1 (wordwrap@0.0.3, minimist@0.0.10)
├── adm-zip@0.4.4
├── jasmine@2.3.1 (exit@0.1.2, jasmine-core@2.3.4)
├── source-map-support@0.2.10 (source-map@0.1.32)
├── accessibility-developer-tools@2.6.0
├── lodash@2.4.2
├── glob@3.2.11 (inherits@2.0.1, minimatch@0.3.0)
├── request@2.36.0 (aws-sign2@0.5.0, qs@0.6.6, forever-agent@0.5.2, oauth-sign@0.3.0, tunnel-agent@0.4.1, json-stringify
-safe@5.0.1, mime@1.2.11, node-uuid@1.4.3, form-data@0.1.4, http-signature@0.10.1, tough-cookie@2.0.0, hawk@1.0.0)
└── selenium-webdriver@2.45.1 (tmp@0.0.24, rimraf@2.4.2, xml2js@0.4.4, ws@0.7.2)

[JannesMeyer]

Any ideas why this might be happening?

[Megadesty]

Have the same problem with node 4.1 and node-gyp 3.0.3:

gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: self signed certificate in certificate chain
gyp ERR! stack     at Error (native)
gyp ERR! stack     at TLSSocket.<anonymous> (_tls_wrap.js:1000:38)
gyp ERR! stack     at emitNone (events.js:67:13)
gyp ERR! stack     at TLSSocket.emit (events.js:166:7)
gyp ERR! stack     at TLSSocket._finishInit (_tls_wrap.js:567:8)
gyp ERR! System Windows_NT 6.1.7601
gyp ERR! command "C:\\Program Files (x86)\\nodejs\\node.exe" "C:\\Program Files (x86)\\nodejs\\node_modules\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "configure" "--fallback-to-build" "--module=C:\\Users\\user\\AppData\\Roaming\\npm\\node_modules\\node-inspector\\node_modules\\v8-debug\\build\\debug\\v0.5.4\\node-v46-win32-ia32\\debug.node" "--module_name=debug" "--module_path=C:\\Users\\user\\AppData\\Roaming\\npm\\node_modules\\node-inspector\\node_modules\\v8-debug\\build\\debug\\v0.5.4\\node-v46-win32-ia32"
gyp ERR! cwd C:\Users\user\AppData\Roaming\npm\node_modules\node-inspector\node_modules\v8-debug
gyp ERR! node -v v4.1.0
gyp ERR! node-gyp -v v3.0.3
gyp ERR! not ok

[raysuelzer]

Same problem. It doesn't seem to be respecting my global configuration settings for some reason. basically impossible to install behind a corporate proxy.

[warroyo]

Same issue here, can we get a fix for this pelase!

[warroyo]

i found this comment on another issue and it seems to work #448 (comment). just set that environment variable. This is a hacky work around though, node-gyp should respect npmrc.

[bnoordhuis]

node-gyp doesn't use the npm registry, it downloads the tarball from https://nodejs.org/.

Setting NODE_TLS_REJECT_UNAUTHORIZED=0 in the environment will disable verification but you are setting yourself up for a MitM attack. Closing, not a bug but a feature.

[weagle08]

why close this? it seems to be a pretty common issue for a lot of people downloading packages that require node-gyp, and I just installed newest nodejs and npm and am still getting this issue. Using the NODE_TLS_REJECT_UNAUTHORIZED=0 may work, but it is a hack fix.

[bnoordhuis]

Knowing what you know, what would you have node-gyp do differently?

[weagle08]

knowing what I know, I know that this has surpassed my scope of knowledge as far as the internal workings of node-gyp, but would it be possible to have a config file for just node-gyp in which you can set settings like this?

[marksy]

Excuse my ignorance but how do you use NODE_TLS_REJECT_UNAUTHORIZED=0

I'm on Windows using cmd

Do I set this in the: npm confit set NODE_TLS_REJECT_UNAUTHORIZED=0

[marksy]

Config* sorry

[weagle08]

from command line you can do:
set NODE_TLS_REJECT_UNAUTHORIZED=0
npm install [mypackage]

[weagle08]

Or you can set it as a windows environment variable but I would recommend the first option.

[marksy]

Cool thanks @weagle08

[bnoordhuis]

would it be possible to have a config file for just node-gyp in which you can set settings like this?

It's certainly possible but it's not strictly necessary. node-gyp respects the traditional https_proxy environment variable (as does npm, I think.)

[weagle08]

Unfortunately where I work no proxy is provided so these variables don't help. My company plays man in the middle and injects certs and there is nothing I can do about it.

[raysuelzer]

Same issues with the cert injection. I had to modify the node gyp source to remove reference to https:// and rebuild it. The problem is that it doesn't respect the tls config when downloading the tarball.

[Megadesty]

Since node-gyp is a tool for nodejs, but not resides inside of nodejs, I can fully understand why it should not use the node/npm configs for setting the network environment. But I must also agree with the others, that node-gyp should provide it's (optional) own config file, because in my case the system proxy environment is not enough, too: My company's proxy also established a MitM scenario, so I need a strict-ssl=false.

The 'workaround' with NODE_TLS_REJECT_UNAUTHORIZED=0 works, but it is not very user friendly:

• not well documented
• every developer has always to setup his own environment especially for node-gyp
• counter-intuitive if other equivalent tools (in terms of downloading stuff) have a config file for this setting like bower, npm, Atom, etc

[bnoordhuis]

#837 - adds a --cafile option.

[meash-nrel]

so there is now a command line option to provide ca file ... any idea how to engage that when node-gyp is getting called by the NPM install process? i'm not the one calling node-gyp, npm is, via the project file of the module being installed. the solution seems to remain the NODE_TLS_REJECT_UNAUTHORIZED=0 hack.

[bnoordhuis]

If you have the cafile option set in your .npmrc or specified on the command line, then node-gyp should inherit that automatically when invoked by npm.

[hughes]

The cafile option is seemingly ignored by some part of the build process. I could only get this to work with NODE_TLS_REJECT_UNAUTHORIZED=0.

[sdas99]

I am on RHEL7 and I tried export NODE_TLS_REJECT_UNAUTHORIZED=0 but still getting SELF_SIGNED_CERT_IN_CHAIN error. The two modules that are failing to install are bcrypt and libxmljs.

> libxmljs@0.17.1 install /lib/node_modules/libxmljs
> node-gyp rebuild

gyp WARN EACCES user "root" does not have permission to access the dev dir "/root/.node-gyp/0.10.36"
gyp WARN EACCES attempting to reinstall using temporary dev dir "/lib/node_modules/libxmljs/.node-gyp"
gyp WARN install got an error, rolling back install
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: SELF_SIGNED_CERT_IN_CHAIN
gyp ERR! stack     at SecurePair.<anonymous> (tls.js:1381:32)
gyp ERR! stack     at SecurePair.emit (events.js:92:17)
gyp ERR! stack     at SecurePair.maybeInitFinished (tls.js:980:10)
gyp ERR! stack     at CleartextStream.read [as _read] (tls.js:472:13)
gyp ERR! stack     at CleartextStream.Readable.read (_stream_readable.js:341:10)
gyp ERR! stack     at EncryptedStream.write [as _write] (tls.js:369:25)
gyp ERR! stack     at doWrite (_stream_writable.js:226:10)
gyp ERR! stack     at writeOrBuffer (_stream_writable.js:216:5)
gyp ERR! stack     at EncryptedStream.Writable.write (_stream_writable.js:183:11)
gyp ERR! stack     at write (_stream_readable.js:602:24)
gyp ERR! System Linux 3.10.0-327.10.1.el7.x86_64
gyp ERR! command "node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /usr/lib/node_modules/libxmljs
gyp ERR! node -v v0.10.36
gyp ERR! node-gyp -v v3.3.0
gyp ERR! not ok
npm ERR! Linux 3.10.0-327.10.1.el7.x86_64
npm ERR! argv "node" "/usr/bin/npm" "install" "-g" "libxmljs"
npm ERR! node v0.10.36
npm ERR! npm  v3.8.1
npm ERR! code ELIFECYCLE

[brianary]

This would be much better addressed by fixing nodejs/node#3159.

Playing whack-a-mole with npm, Atom, VS code, cUrl, Firefox, &c, &c, &c each using their own cert store when the OS supplies one is an unmanageable mess.

If that's not immediately supported, a standard cafile environment variable that's honored by all parties would at least help.

[chandrunaik]

Can this be helpful?
git config --global http.sslVerify false

[brianary]

No, because I don't want to disable all certificate validation. Decrypting network hardware (substituting their local certs) are used in high-security environments, and accepting every certificate from any source would radically undermine that.

[qbradq]

I work in an environment where our proxies also use this self-signed cert substitution technique. Is there a particular reason to not expect security appliance vendors and operators to start using signed certificates for their appliances? I think the only way we will see a change in behavior is to continue to place that expectation on the vendors and operators. And it's not just Node that has these "issues" dealing with self-signed certs. Every application I support that interacts with the internet is a headache because of this.

[VerdonTrigance]

Windows users: Having cafile=C:\path\to\my\companys\cafile.pem did not work. However removing that line and setting the environment variable below did work:

SET NODE_EXTRA_CA_CERTS=C:\\path\\to\\my\\companys\\cafile.pem

For noobs like me: the .pem file is just the base64 encoded certificates (.cer) of your proxy's CA root (and intermediate).

1. Did you used double slash in path?
2. Is it required to be exactly .pem extension or base64 encoded .cer just fine?
3. Did you used npmrc file?

[skategaru]

Try uninstalling Angular/cli first and installing node-gyp and then try reinstalling Angular cli

npm uninstall -g @angular/cli
npm install -g node-gyp
npm install -g @angular/cli

It worked perfectly

[VerdonTrigance]

I ended with updating Node and everything else to last version and it helped.

[andig]

Same problem here. Running on MacOS, no proxy, no vpn, no custom certificates. Node 14 working finde, Node 16 broken:

❯ NODE_TLS_REJECT_UNAUTHORIZED=0 node-gyp configure
gyp info it worked if it ends with ok
gyp info using node-gyp@8.4.1
gyp info using node@16.13.1 | darwin | arm64
gyp info find Python using Python version 3.9.9 found at "/opt/homebrew/opt/python@3.9/bin/python3.9"
gyp http GET https://nodejs.org/download/release/v16.13.1/node-v16.13.1-headers.tar.gz
(node:79648) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack FetchError: request to https://nodejs.org/download/release/v16.13.1/node-v16.13.1-headers.tar.gz failed, reason: unable to get local issuer certificate
gyp ERR! stack     at ClientRequest.<anonymous> (/opt/homebrew/lib/node_modules/node-gyp/node_modules/minipass-fetch/lib/index.js:110:14)
gyp ERR! stack     at ClientRequest.emit (node:events:390:28)
gyp ERR! stack     at TLSSocket.socketErrorListener (node:_http_client:447:9)
gyp ERR! stack     at TLSSocket.emit (node:events:402:35)
gyp ERR! stack     at emitErrorNT (node:internal/streams/destroy:157:8)
gyp ERR! stack     at emitErrorCloseNT (node:internal/streams/destroy:122:3)
gyp ERR! stack     at processTicksAndRejections (node:internal/process/task_queues:83:21)
gyp ERR! System Darwin 21.2.0
gyp ERR! command "/opt/homebrew/Cellar/node@16/16.13.1_1/bin/node" "/opt/homebrew/bin/node-gyp" "configure"
gyp ERR! cwd /Users/andig/htdocs/evcc
gyp ERR! node -v v16.13.1
gyp ERR! node-gyp -v v8.4.1
gyp ERR! not ok

Is there any way to trace what call is going on with the GET? I can open the URL just fine in any browser.

❯ curl https://nodejs.org/download/release/v16.13.1/node-v16.13.1-headers.tar.gz > foo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  549k  100  549k    0     0  3321k      0 --:--:-- --:--:-- --:--:-- 3432k

[Fjaoos]

Hi,

i just can't install keytar because node-gyp rebuild fails with this problem:

I've tried

• Set NODE_TLS_REJECT_UNAUTHORIZED=0
• SET NODE_EXTRA_CA_CERTS=C:\path\to\my\companys\cafile.pem
• uninstall/install angular

I do not know what I can try beyond this.

Can anyone recommend a solution?

[andig]

What finally worked for me is nodejs/help#3686 (comment)

[Fjaoos]

Thanks @andig I tried that. It works for the https://nodejs.org/download/release/v16.14.0/node-v16.14.0-headers.tar.gz file but after that it requires another file (which is not a tar.gz) and fails because of the certifcate issue as well.

[VerdonTrigance]

Hi,

i just can't install keytar because node-gyp rebuild fails with this problem:

I've tried

• Set NODE_TLS_REJECT_UNAUTHORIZED=0
• SET NODE_EXTRA_CA_CERTS=C:\path\to\my\companys\cafile.pem
• uninstall/install angular

I do not know what I can try beyond this.

Can anyone recommend a solution?

try
npm config set strict-ssl false

[Fjaoos]

strict-ssl=false was the first thing that I tried and has been set to false since then

[VerdonTrigance]

Did you upgrade both npm and NODE to last version?

[Fjaoos]

Node should be the current TLS

[andig]

Did you upgrade both npm and NODE to last version?

Why should one? Is there any known fix?

[VerdonTrigance]

Yes. There was a fix. And it helped for me, but my version was 2 major less than current

[jcgertig]

@Fjaoos did you ever fix this issue?

[tonjohn]

I hit this issue on node v16.14.0 and v16.16.0. However, it works fine on v16.13.1. Is anyone looking into this?

[nhurion]

on windows, version v16.16.0.
those are not working
Set NODE_TLS_REJECT_UNAUTHORIZED=0
SET NODE_EXTRA_CA_CERTS=C:\path\to\my\companys\cafile.pem

Is there a way to specify where the file should be downloaded from or do I have to hack the hosts file to avoid this blocking issue ?

[NekitCorp]

My workaround is to transfer file content cafile to ca one-line PEM format:

.npmrc:

# from
cafile=/path/to/cert.pem

# to
ca="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"

[Fjaoos]

@Fjaoos did you ever fix this issue?

Unfortunately I do not remember but I am sure it was a mix of corporate proxy/firewall and very restricted windows clients.
I have since moved on from that environment.

[sereksim]

Is there a solution that actually works? I tried every suggestion...

set NODE_TLS_REJECT_UNAUTHORIZED=0
npm install -g --unsafe-perm binding
     added 1 package in 13s
npm config set strict-ssl false
set npm_config_cafile "C:\path\to\certificate.pem"
npm config set cafile "C:\path\to\certificate.pem" --global
set NODE_EXTRA_CERTS="C:\path\to\certificate.pem"
set NODE_EXTRA_CA_CERTS="C:\path\to\certificate.pem"

... and node-gyp still fails:

node-gyp configure
gyp info it worked if it ends with ok
gyp info using node-gyp@9.3.1
gyp info using node@18.13.0 | win32 | x64                                                                               
gyp info find Python using Python version 3.9.7 found at "C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python39_64\python.exe"                                                                                                         gyp http GET https://nodejs.org/download/release/v18.13.0/node-v18.13.0-headers.tar.gz                                  gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack FetchError: request to https://nodejs.org/download/release/v18.13.0/node-v18.13.0-headers.tar.gz failed, reason: self-signed certificate in certificate chain
gyp ERR! stack     at ClientRequest.<anonymous> (C:\Users\bla\AppData\Roaming\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\index.js:130:14)
gyp ERR! stack     at ClientRequest.emit (node:events:513:28)
gyp ERR! stack     at TLSSocket.socketErrorListener (node:_http_client:496:9)
gyp ERR! stack     at TLSSocket.emit (node:events:525:35)
gyp ERR! stack     at emitErrorNT (node:internal/streams/destroy:151:8)
gyp ERR! stack     at emitErrorCloseNT (node:internal/streams/destroy:116:3)
gyp ERR! stack     at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
gyp ERR! System Windows_NT 10.0.22000
gyp ERR! command "C:\\Program Files\\nodejs\\node.exe" "C:\\Users\\bla\\AppData\\Roaming\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "configure"
gyp ERR! cwd C:\Users\bla\my\current\directory
gyp ERR! node -v v18.13.0
gyp ERR! node-gyp -v v9.3.1
gyp ERR! not ok

I also tried to manually download the tar.gz as described here: nodejs/help#3686 (comment), but that didn't change anything. Even if I have the tar.gz file in the \tmp directory, the command fails, because the commands loads multiple files, not only the tar.gz.
Maybe I could load those files manually, but without knowing every file which is downloaded in the process, that doesn't work either...

Edit: This might be connected to the issues nodejs/node#3742, #448 and the already mentioned nodejs/help#3686, but the recommendations there are similar to those here.

Edit2: Installing something with npm install doesn't work either: npm ERR! RequestError: self-signed certificate in certificate chain

[sereksim]

None of the other methods worked for me (see #695 (comment)), but this command finally solved the problem (on Windows 11):
$env:NODE_EXTRA_CA_CERTS="C:\path\to\certificate.crt"

node-gyp and npm now work without any problems.

[tooolbox]

After an hour of trying everything, NODE_TLS_REJECT_UNAUTHORIZED did not work for me, but NODE_EXTRA_CA_CERTS did.

[jbgomond]

node-gyp switched to make-fetch-happen, which does not support this this environment variable ...